In March the National Audit Office (NAO) requested full Child Benefit database information but filtered to remove unwanted personal identity information. The filtering was rejected on cost grounds and the full database sent to the NAO on CDs. In October the NAO repeated its request and the two CDs, holding 25 million personal identity information records were lost.

It is known that a junior official had full access to the database involved and was able to burn the contents in unencrypted fashion to CDs and send them though unregistered inter-office transfer by TNT.

There are five key questions:-

1. First, why should a junior official have full access to the database and why did the system allow unencrypted copying to CD?
2. How much would it have cost to filter the database files?
3. Why did HMRC processes allow this?
4. Why didn’t senior HMRC staff, knowing about this, stop it?
5. Has there been a systemic failure in HMRC?

Why should a junior official have full access to the database and why did the system allow unencrypted copying to CD?

Q356: I suppose one of the puzzles to anyone who knows anything about the systems is that it was actually technically possible to do this. … it should not have been possible for one individual member of staff to produce a file of this kind and despatch it; there should have been a built in bar in your system which required some sort of intervention to achieve that outcome. That has been a puzzle to me from the start. Can you throw any light on that?

Related

Mr Hartnett: … it is a puzzle to me as well … The data that was in Waterview Park (where the CDS were burned) in the North East was drawn off from the child benefit computer system. That is in a different building … It was brought to Waterview Park and loaded up on to a secure, stand-alone desk-top computer in a secure environment… how on earth was it possible ever to draw down a full copy? At the moment I know it clearly was possible, but---

Q357: That is an issue of system design.

Mr Hartnett: Exactly; absolutely.

Q358: And also management disciplines imposed on that system design at the time someone conceded with the security requirements that should have been in place.

Mr Hartnett: Yes.

Q359: So it is not just some funny software engineer who did not quite do their job?

Mr Hartnett: No, it is a design issue.

PAGE 2 OF 4

How much would it have cost to filter the database files?

Q348/349/350: Turning to the loss of the child benefit discs, what would have been the cost of desensitising the material approximately? … Are we talking of 50,000, 10,000, 100,000?

Mr Hartnett: I would have thought, Chairman, it would be less than 50,000, but I do not have the precise figure.

But the likely cost wasn’t going to £50,000 or anything like it.

Q373: …. It has been put to me by somebody who works in the field of running and designing these big databases that it would be normally possible to execute the operation that was needed in separating information in the files very simply, that it would normally take very little input. …

Mr Hartnett: I think I can give you at least a preliminary view, if I may, and that is that when we needed to pass data to APACS - the clearing system - in order to enable them to get their members' number to protect accounts, we were able to segregate the data in the way you have described with our IT supplier and quickly…

Q374 answer:

Mr Hartnett: I do not know, as I said to the Chairman earlier on, what it would have cost, but we have demonstrated that this can be done and it can be done quickly and no-one alerted me, when I asked for it to be done, that I was doing something that was going to involve significant cost.

Why did HMRC processes allow this?

Q351 Chairman: Can you clarify who in the HMRC finally authorised the undesensitised material to be sent on the disc? …

Q352 answer:

Mr Hartnett: Yes, of course. To the best of my knowledge, there was no authorisation here. The team that managed that data and were established to manage the data securely in a secure environment within our offices released the data. We have two crucial rules here that if we are letting any asset, data, software, hardware, equipment, out of our offices, it has to be managed in a proper way and there has to be proper authority. If it is software, it has to be released outside the organisation with all appropriate protections. What happened here is that that did not happen. This is a dreadful mistake.

PAGE 3 OF 4

Why didn’t senior HMRC staff, knowing about this, stop it?

Nigel Jordan was a senior HMRC person copied in on urgent and confidential tagged e-mails about the data release to the NAO and about the cost issue with filtering being rejected as too expensive.

Q353: I understand that, but what is the proper authority for releasing this? In what grade in your organisation is the proper authority vested?

Mr Hartnett: Here we had set up a procedure with the National Audit Office for passing data to them. The National Audit Office did not use the procedure and we did not release the data through the procedure, and that procedure worked in a team led by our child benefit process owner, a member of the senior Civil Service, who in October knew nothing of this because the process was not followed.

Q377: … Could you confirm whether, as we have been led to believe, the process owner for child benefit (Jordan) was copied into the email exchange on 13 March, in particular the email at 15:23?

Mr Hartnett: My understanding is, yes, the process owner was copied into that email and only that email.

Q380 Mr Dunne: So the process owner, having received this email, was aware that there may be a cost to the department, was aware that other colleagues within the department were discussing the data exchange, including compliance colleagues, and presumably, even if he was not aware of the proper authorities, your compliance colleagues would have been.

Mr Hartnett: I think the crucial issue here, Mr Dunne, is what we know from the email is that it was sent. We do not know that the process owner read it or when he read it. That is one of the things we must find out. One of the very significant questions here to be answered is was the process owner in a position, having received the email, to put up his hand, if I can put it that way, and say: "Do not do this very silly thing", and that is an important question for us to know the answer to.

Here is procedural blindness. Because it was, Hartnett says, out of procedure, the mistake happened. But the process manager (Jordan) was informed and that was at least one opportunity to recognise it was covered by the procedure. Why wasn’t it taken? There is also the cost issue.

As we have seen the £50,000 cost issue was simply a mistake and no-one thought to test it. Given that Hartnett would have expected Jordan to query it and look into the matter. Jordan apparently did not.

Q368: …. Could you say, though, what the policy at HMRC is on the question of what cost is acceptable, what can be borne in certain circumstances?

Mr Hartnett: … if the cost was going to be very significant, I would expect senior managers to get involved and have a discussion with the National Audit Office about that.

Q369 answer: … I would have expected the process owner to become involved and also at that stage to have said, "Golly, we do not need to provide them with some of this information."

PAGE 4 OF FOUR

Has there been a systemic failure in HMRC?

Systemic failure can be attributed if there have been repeated failings made by an HMRC infrastructure that didn’t respond to them and didn’t react in any competent way to the issues involved.

Repeated failings

Q344: Since you were merged together, Customs and Revenue, how many cases of security breaches have there been?

Q346 answer:

Mr Hartnett: Seven breaches which we reported to the Information Commissioner.

Q399: If you have had seven serious security breaches in the two and a half years since you were set up, does that not indicate systemic failure?

Mr Hartnett: I think, Chairman, it may well do

Q400 Chairman: Is this systemic failure, do you think, linked in any way to the quite considerable reduction in head count in your organisation of over 10,100 in the last three years?

Mr Hartnett: I have not seen anything here so far which says that this dreadful mistake has got anything to do with head count reduction. It has everything to do with mistake, failing to follow procedures and of the arrangements between us and the NAO which we set up not being followed.

Note the implicit acceptance of the ‘systemic failure’ term in Hartnett’s answer.

DPA compliance

Q387: Would any of those individuals (who received the known e-mails) have had any compliance responsibility in the context that I am describing it in terms of data protection?

Mr Hartnett: No …

Q399 answer: . There are issues around our people's understanding … of the Data Protection Act and there are cultural issues here about how we approach data protection.

Techworld comment

In other words, no one in HMRC concerned with the Data Protection Act (DPA) compliance was involved in the NAO data transfer and, presumably, the earlier Standard Life transfer which resulted in 15,000 personal identity records being lost. This strikes me as a massive failure to understand the obligations of the DPA by HMRC.

We also know that no-one involved in the process questioned the cost implications. They just assumed it would be expensive. There was also no direct involvement by HMRC DPA people.

The repeated security breaches, the error over costing and inability to understand costings, the lack of proactive involvement by the senior HMRC official involved, the absence of a DPA-aware culture and the chronic security failings in the IT infrastructure design all indicate the presence of systemic failure in HMRC.